Bug 394095 (CVE-2011-4597) - <net-misc/asterisk-1.8.7.2 Multiple vulnerabilities (CVE-2011-{4597,4598})
Summary: <net-misc/asterisk-1.8.7.2 Multiple vulnerabilities (CVE-2011-{4597,4598})
Status: RESOLVED FIXED
Alias: CVE-2011-4597
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: C3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-09 01:35 UTC by Sean Amoss (RETIRED)
Modified: 2012-02-22 20:51 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sean Amoss (RETIRED) gentoo-dev Security 2011-12-09 01:35:38 UTC
AST-2011-013 - http://downloads.asterisk.org/pub/security/AST-2011-013.pdf

Summary: 
Possible remote enumeration of SIP endpoints with differing NAT settings

Description: 
It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia.

Corrected In:
As this is more of an issue with SIP over UDP in general, there is no fix supplied other than documentation on how to avoid the problem. The default NAT setting has been changed to what we believe the most commonly used setting for the respective version in Asterisk 1.4.43, 1.6.2.21, and 1.8.7.2.


AST-2011-014 - http://downloads.asterisk.org/pub/security/AST-2011-014.pdf

Summary:
Remote crash possibility with SIP and the “automon” feature enabled

Description:
When the “automon” feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash.

Corrected In:
Asterisk Open Source 1.6.2.21, 1.8.7.2
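A configuration check for the AST-2011-013 condition described above, added here as an example (it is not Asterisk project code and not part of this bug): it reads a sip.conf and reports every section whose explicit nat= setting answers to a different port (request source port vs. Via port) than [general], using the value classes the advisory gives for 1.4/1.6.2 and for 1.8/10. Comma-separated nat values such as force_rport,comedia are assumed to be accepted as in Asterisk 1.8+, and the sample sip.conf at the end is constructed.

```python
# Added checker, not Asterisk code: flag sip.conf sections whose nat= class differs from [general] (AST-2011-013).

# nat= values that answer to the request's source port ("rport") vs. the Via port, per AST-2011-013.
NAT_CLASSES = {
    "1.4": {"rport": {"yes", "route"}, "via": {"no", "never"}},
    "1.8": {"rport": {"yes", "force_rport"}, "via": {"no", "comedia"}},
}
NAT_CLASSES["1.6.2"], NAT_CLASSES["10"] = NAT_CLASSES["1.4"], NAT_CLASSES["1.8"]

def parse_sip_conf(text):
    """Minimal sip.conf reader: {section: {key: value}}; ';' starts a comment, last key wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("["):
            current = line[1:line.index("]")]        # "[name](!)" templates yield "name"
            sections.setdefault(current, {})
        elif "=" in line and current is not None:  # blank lines fall through here
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def nat_class(value, family):
    """'rport', 'via' or None; comma lists such as force_rport,comedia (assumed 1.8+ syntax) are handled."""
    tokens = {t.strip().lower() for t in value.split(",")}
    for cls in ("rport", "via"):                   # rport wins if both kinds of token appear
        if tokens & NAT_CLASSES[family][cls]:
            return cls
    return None

def find_disparate_nat(text, family="1.8"):
    """[(section, nat_value)] whose explicit nat= is in a different class than [general]; sections without nat= inherit it."""
    conf = parse_sip_conf(text)
    if "nat" not in conf.get("general", {}):
        raise ValueError("[general] sets no nat=; set it explicitly, then re-check")
    base = nat_class(conf["general"]["nat"], family)
    return [(name, keys["nat"]) for name, keys in conf.items()
            if name != "general" and "nat" in keys
            and nat_class(keys["nat"], family) not in (None, base)]

SAMPLE_SIP_CONF = """[general]
nat=force_rport          ; constructed sample: [general] answers to the source port
[6001]
nat=no                   ; Via-port class: disparate with [general], flagged
[6002]
nat=force_rport,comedia  ; still the rport class, not flagged
[6003]
type=peer                ; no nat= line, inherits [general], not flagged
"""
```

Running find_disparate_nat(SAMPLE_SIP_CONF) reports only section 6001; pass family="1.4" or "1.6.2" to apply the yes/route vs. no/never classes instead.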
Comment 1 Tony Vroon gentoo-dev 2011-12-12 11:24:44 UTC
+*asterisk-10.0.0_rc3 (12 Dec 2011)
+
+  12 Dec 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-10.0.0_rc2.ebuild,
+  -asterisk-10.0.0_rc2-r1.ebuild, +asterisk-10.0.0_rc3.ebuild:
+  Security update addresses AST-2011-013 (disparate general/peer NAT settings
+  exposing valid usernames) and AST-2011-014 (null pointer dereference in INFO
+  command reply if automon feature is enabled). Cull the 10 branch by removing
+  vulnerable ebuilds. For security bug #394095.

+*asterisk-1.8.7.2 (12 Dec 2011)
+
+  12 Dec 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.7.1-r1.ebuild,
+  -asterisk-1.8.7.1-r2.ebuild, +asterisk-1.8.7.2.ebuild:
+  Security update addresses AST-2011-013 (disparate general/peer NAT settings
+  exposing valid usernames) and AST-2011-014 (null pointer dereference in INFO
+  command reply if automon feature is enabled). Cull the 1.8 branch by removing
+  vulnerable ebuilds except current stable. For security bug #394095.

Arches, please test and mark stable:
=net-misc/asterisk-1.8.7.2
Target KEYWORDS="amd64 x86"

For testing, please try several USE-flag combinations and see if the resulting binary can be stopped and started for several cycles on the default configuration files. The wrapper will inform you if the binary failed to start or stop normally, which is a test failure.
Comment 2 Agostino Sarubbo gentoo-dev 2011-12-12 15:35:57 UTC
C3 because it will not happen with the default config.

I have filed bug 394459. It is not a blocker.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2011-12-12 17:45:15 UTC
amd64:
gentoo64 asterisk # USE="alsa bluetooth caps iconv ldap samples usb vorbis -ais -calendar curl -dahdi -debug -doc -freetds -gtalk -http -jabber -jingle -lua -mysql -newt odbc -osplookup -oss -portaudio -postgres -radius -snmp span speex sqlite -sqlite3 -srtp -static -syslog" emerge asterisk

gentoo64 asterisk # /etc/init.d/asterisk restart
 * asterisk: waiting for net.wlan0 (50 seconds)
 * WARNING: asterisk is scheduled to start when net.wlan0 has started
gentoo64 asterisk # /etc/init.d/asterisk restart
 * Killing wrapper script ...                                                                                                   [ ok ]
 * Stopping asterisk PBX gracefully ...                                                                                         [ ok ]
 * Starting asterisk PBX ...
 *   Core dump size            : unlimited
 *   Core dump location        : /var/lib/asterisk/coredump
 *   Max open filedescriptors  : 4096
 *   Starting asterisk as      : asterisk                                                                                       [ ok ]

all system good all system go
Comment 4 Agostino Sarubbo gentoo-dev 2011-12-12 18:40:51 UTC
Works too for me.

Stable for AMD64, thanks Ian.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2011-12-15 18:48:10 UTC
CVE-2011-4598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4598):
  channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and
  1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to
  cause a denial of service (NULL pointer dereference and daemon crash) via a
  crafted sequence of SIP requests.

CVE-2011-4597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4597):
  The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43,
  1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers
  for responses to invalid requests depending on whether a SIP username
  exists, which allows remote attackers to enumerate usernames via a series of
  requests.
Comment 6 Markus Meier gentoo-dev 2011-12-26 14:31:26 UTC
x86 stable, all arches done.
Comment 7 Agostino Sarubbo gentoo-dev 2011-12-26 14:32:40 UTC
@security, please vote.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-12-27 05:20:37 UTC
Thanks, folks. GLSA Vote: no.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-22 20:51:13 UTC
GLSA vote: no. Closing [noglsa]